Researchers uncover months-old POS malware botnet
Posted on 31.01.2014
With the Target and Neiman Marcus breach being all over the news in the last few weeks, the topic of malware that collects card data directly from Point-of-Sale devices has received renewed interest.

The PoS malware used in the former has been identified as a modified version of the BlackPOS malware, but there are other similar ones currently in use out there.

RSA researchers have recently discovered the entire server infrastructure used in a global PoS malware operation that targets retailers in the US, Russia, Canada and Australia, and have managed to access part of it.

The malware in question is the ChewBacca Trojan, which is capable of logging keystrokes and scraping the memory of PoS systems and the card magnetic stripe data they contain.

"RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control server(s), encrypting traffic, and avoiding network-level detection," they noted. "The server address uses the pseudo-TLD '.onion' that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine."

The botnet in question began its work in late October 2013, and it seems to be operated by an individual from a country in Eastern Europe.

"The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," the researchers noted.

"Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."


Most IT pros have seen potentially embarrassing information about their colleagues

More than three-quarters of IT professionals have seen and kept secret potentially embarrassing information about their colleagues, according to new research conducted by AlienVault.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th